The GDPR has contributed to changing the global perception of personal data. The new European Regulation is still forcing undertakings and institutions to become compliant. In this context, Data Protection Authorities (“DPA”) are performing an important guidance role in terms of the sanctions and penalties imposed on data controllers and processors.
The DPAs' approach has been reasonable and measured. In fact, according to the GDPR, sanctions must be effective, proportionate and dissuasive (Art. 83(1)). The sanction system also includes corrective and monitoring powers, in light of the DPAs' task of promoting public awareness and conducting investigations into the application of the Regulation.
For instance, DPAs are able to:
It is important to note that the proportionate approach of DPAs helps to avoid the paradigm according to which any personal data infringement leads to a pecuniary sanction. In this context, European DPAs shall cooperate to promote a harmonised approach to administrative fines. The Article 29 Working Party announced that pecuniary fines should not be intended as last-resort sanctions. Administrative pecuniary sanctions shall be imposed in an appropriate manner that ensures their efficacy. In conclusion, both excessive penalties and mild sanctions might be detrimental to the data protection framework.
In determining the sanction to impose, the DPA has to take into consideration how many data subjects are involved, the legal basis for processing, the extent of the damage and the likely risks for data subjects’ rights and freedoms.
Moreover, administrative fines depend on the circumstances of each individual case. The DPA shall give due regard to
Under these circumstances, we are going to analyse European DPAs' decisions in order to highlight the decision criteria and the most likely infringements occurring in certain types of business and contexts. In fact, political and religious dimensions may also lead to GDPR infringements, as happened in Italy with the Rousseau platform used by the Five Stars Movement.
In conclusion, analysing and commenting on the sanctions imposed by DPAs might help you figure out how to tailor a robust data protection dimension for your own business, avoiding standard policies or, even worse, privacy document generators.
Author: Salvatore Fasciana